Carbanak
Associated Software Descriptions

| Name | Description |
|---|---|
| Anunak | (Citation: Fox-It Anunak Feb 2015) (Citation: FireEye CARBANAK June 2017) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | The Carbanak malware communicates with its command server over HTTP with an encrypted payload. (Citation: Kaspersky Carbanak) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Carbanak stores a configuration file in the startup directory to automatically execute commands and persist across reboots. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Carbanak has a command to create a reverse shell. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1136.001 | Create Account: Local Account | Carbanak can create a Windows account. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Carbanak encodes the message body of HTTP traffic with Base64. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | Carbanak searches recursively for Outlook personal storage table (PST) files within user directories and sends them back to the C2 server. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Carbanak has a command to delete files. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1056.001 | Input Capture: Keylogging | Carbanak logs keystrokes for configured processes and sends them back to the C2 server. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1055.002 | Process Injection: Portable Executable Injection | Carbanak downloads an executable and injects it directly into a new process. (Citation: FireEye CARBANAK June 2017) |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions. (Citation: FireEye CARBANAK June 2017) |
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0046 | FIN7 | (Citation: Mandiant FIN7 Apr 2022) (Citation: FireEye FIN7 Aug 2018) (Citation: DOJ FIN7 Aug 2018) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FireEye FIN7 March 2017) (Citation: IBM Ransomware Trends September 2020) (Citation: FBI Flash FIN7 USB) |
| G0008 | Carbanak | (Citation: Kaspersky Carbanak) |
References
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
- Prins, R. (2015, February 16). Anunak (aka Carbanak) Update. Retrieved January 20, 2017.
- Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022.
- Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
- Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
- Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.
- The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.